Introduction

The AAF supports OpenID Connect (OIDC) connectivity and operates an OpenID Provider (OP) which authenticates users who have an account at any AAF subscriber Identity Provider (IdP). This service is a production choice available to AAF subscribers to connect their OIDC services to the Federation.


The AAF operates the OP service without subscriber documentation or marketing. There are no service management interfaces or self-service options for registering or managing a connector. The AAF Support Team is the key contact for all service requests and changes to connectors. 


Details

Before registering an OIDC service, deployers must have sufficient experience with OIDC integration to build their own Relying Party (RP) components with minimal help from the AAF technical team. Several open-source libraries implement most of the RP requirements in a range of languages; GitHub is an excellent resource, as is the OpenID Foundation's library list at https://openid.net/developers/libraries/. The AAF does not offer support or advice in this area; the choice of library depends on the subscriber's strengths and existing knowledge of OIDC integration.


The AAF OP satisfies the OIDC conformance testing framework and passes the Authorization Code and Implicit flows. Since its inception, monitoring of this service shows that outside of a few seconds when deploying a new release, it has been highly available. The AAF monitors the OP during business hours and responds to service interruption issues promptly.


To register a new OIDC RP please contact support@aaf.edu.au and include the following details:

  1. The service's redirect URL. It must be based on a hostname rather than an IP address, and it must use HTTPS.
  2. A descriptive name for the service.
  3. The name of the organisation operating the service, which must be an AAF subscriber.
  4. The service's purpose: development, testing or production-ready.


Once the technical team receives a registration, they will reach out and establish a secure messaging channel via https://keybase.io. New accounts on Keybase are currently free of charge. Over the secure communication channel, the technical team will supply values for the RP service generated during the registration process, including Client ID and secrets.


The AAF OIDC service supports querying the OP Configuration Information endpoint to retrieve the features and capabilities of the OIDC service. The AAF OP provides two such endpoints, one for the Production Federation and one for the Test Federation:

https://central.aaf.edu.au/.well-known/openid-configuration

https://central.test.aaf.edu.au/.well-known/openid-configuration


Details for the Production Federation are here:

$ curl https://central.aaf.edu.au/.well-known/openid-configuration | jq

{
  "issuer": "https://central.aaf.edu.au",
  "authorization_endpoint": "https://central.aaf.edu.au/providers/op/authorize",
  "token_endpoint": "https://central.aaf.edu.au/providers/op/token",
  "jwks_uri": "https://central.aaf.edu.au/providers/op/jwks",
  "id_token_signing_alg_values_supported": [
    "RS256",
    "ES384"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "phone",
    "aueduperson"
  ],
  "userinfo_endpoint": "https://central.aaf.edu.au/providers/op/userinfo",
  "claim_types_supported": [
    "normal"
  ],
  "claims_locales_supported": [
    "en"
  ],
  "claims_parameter_supported": false,
  "display_values_supported": [
    "page"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "op_policy_uri": "https://central.aaf.edu.au/documentation/policy",
  "op_tos_uri": "https://central.aaf.edu.au/documentation/tos",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "query",
    "fragment"
  ],
  "service_documentation": "https://central.aaf.edu.au/documentation/developers",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "ui_locales_supported": [
    "en"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256",
    "ES384"
  ]
}
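The following Python script is an added example for this page and is not AAF code. It shows the checks a Relying Party makes with the discovery document above: it applies the redirect URL rules from the registration list (HTTPS, hostname rather than IP address), compares the RP's intended settings with what the OP advertises, builds an Authorization Code flow request with fresh state and nonce values, and performs the ID Token claim checks (issuer, audience, expiry, nonce) that follow signature verification. The discovery document is embedded as a constructed copy of the values shown above rather than fetched; CLIENT_ID and REDIRECT_URI are placeholders.

```python
"""Relying-Party-side checks against the AAF OP discovery document (added example,
not AAF code). DISCOVERY_JSON is a constructed copy of the page's values; a real RP
fetches it over HTTPS from the issuer's /.well-known/openid-configuration endpoint.
CLIENT_ID and REDIRECT_URI are placeholders for illustration only."""
import ipaddress
import json
import secrets
import time
from urllib.parse import urlencode, urlparse

DISCOVERY_JSON = """{
  "issuer": "https://central.aaf.edu.au",
  "authorization_endpoint": "https://central.aaf.edu.au/providers/op/authorize",
  "token_endpoint": "https://central.aaf.edu.au/providers/op/token",
  "jwks_uri": "https://central.aaf.edu.au/providers/op/jwks",
  "userinfo_endpoint": "https://central.aaf.edu.au/providers/op/userinfo",
  "id_token_signing_alg_values_supported": ["RS256", "ES384"],
  "response_types_supported": ["code", "id_token", "id_token token",
                               "code id_token", "code token", "code id_token token"],
  "scopes_supported": ["openid", "profile", "email", "phone", "aueduperson"],
  "grant_types_supported": ["authorization_code", "implicit"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "response_modes_supported": ["query", "fragment"]
}"""
DISCOVERY = json.loads(DISCOVERY_JSON)

CLIENT_ID = "placeholder-client-id"  # placeholder: the real value is issued by AAF
REDIRECT_URI = "https://app.example.edu.au/oidc/callback"  # placeholder


def validate_redirect_url(url):
    """Apply the registration rules on this page: HTTPS and a hostname, not an IP."""
    problems = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append("redirect URL must use https")
    host = p.hostname
    if not host:
        problems.append("redirect URL has no host")
    else:
        try:
            ipaddress.ip_address(host)  # succeeds only for a literal IP address
            problems.append("redirect URL must be based on a hostname, not an IP address")
        except ValueError:
            pass  # a hostname, as required
    if p.fragment:
        problems.append("redirect URL must not contain a fragment (RFC 6749 3.1.2)")
    return problems


def check_rp_compatibility(discovery, scopes, response_type="code",
                           auth_method="client_secret_basic", id_token_alg="RS256"):
    """Compare the RP's intended settings with what the OP advertises."""
    problems = []
    if "openid" not in scopes:
        problems.append("scope must include 'openid'")
    for s in scopes:
        if s not in discovery["scopes_supported"]:
            problems.append(f"scope '{s}' not advertised by the OP")
    if response_type not in discovery["response_types_supported"]:
        problems.append(f"response_type '{response_type}' not supported")
    if "code" in response_type.split() and \
            "authorization_code" not in discovery["grant_types_supported"]:
        problems.append("authorization_code grant not supported")
    if auth_method not in discovery["token_endpoint_auth_methods_supported"]:
        problems.append(f"token endpoint auth method '{auth_method}' not supported")
    if id_token_alg not in discovery["id_token_signing_alg_values_supported"]:
        problems.append(f"ID token alg '{id_token_alg}' not supported")
    return problems


def build_authorization_url(discovery, client_id, redirect_uri, scopes):
    """Authorization Code flow request. state binds the response to this browser
    session (CSRF defence); nonce is echoed in the ID Token to prevent replay.
    Both must be stored server-side and checked when the user returns."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "nonce": nonce}
    return f"{discovery['authorization_endpoint']}?{urlencode(params)}", state, nonce


def check_id_token_claims(claims, discovery, client_id, expected_nonce, now=None):
    """Claim checks from OIDC Core 3.1.3.7, applied after the signature has been
    verified with a key from jwks_uri using a JOSE library (not shown here)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != discovery["issuer"]:
        problems.append("iss does not match the discovery issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append("aud does not contain this client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("ID token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the value sent in the request")
    return problems
```

The code exchange at token_endpoint (authenticated with client_secret_basic, as the document advertises) and the JWS signature check against jwks_uri are left to the OIDC library the subscriber chooses; the functions above are the configuration and claim checks that sit around that library and that the AAF does not perform on the RP's behalf.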


Links

AAF Production OIDC Provider https://central.aaf.edu.au/.well-known/openid-configuration 

AAF Test OIDC Provider https://central.test.aaf.edu.au/.well-known/openid-configuration 

OpenID OIDC Developer Libraries https://openid.net/developers/libraries/ 

OpenID OIDC Overview https://openid.net/specs/openid-connect-core-1_0.html#Overview 

OpenID OIDC Terminology https://openid.net/specs/openid-connect-core-1_0.html#Terminology